Secret backdoors found in firewall, VPN gear from Barracuda Networks

The undocumented accounts may have been around for a decade.

A variety of firewall, VPN, and spam filtering gear sold by Barracuda Networks contains undocumented backdoor accounts that allow people to remotely log in and access sensitive information, researchers with an Austrian security firm have warned.

The SSH, or secure shell, backdoor is hardcoded into "multiple Barracuda Networks products" and can be used to gain shell access to vulnerable appliances, according to an advisory published Thursday by SEC Consult Vulnerability Lab.

"This functionality is entirely undocumented and can only be disabled via a hidden 'expert options' dialog," the advisory states. The boxes are configured to listen for SSH connections to the backdoor accounts and will accept the username "product" with a "very weak" password to log in; once logged in, no password is required to gain access to the device's MySQL database. While the backdoors can be accessed by only a small range of IP addresses, many of those addresses belong to entities other than Barracuda.

"The public ranges include servers run by Barracuda Networks Inc. but also servers from other, unaffiliated entities—all of whom can access SSH on all affected Barracuda Networks appliances exposed to the Internet," the advisory explained.

Barracuda issued several of its own security advisories on Wednesday. "Our research has confirmed that an attacker with specific internal knowledge of the Barracuda appliances may be able to remotely log in to a non-privileged account on the appliance from a small set of IP addresses," one advisory with a risk rating of "medium" stated. "The vulnerabilities are the result of the default firewall configuration and default user accounts on the unit."

A timestamp and version associated with the code that enables the backdoor bear a date from 2003, suggesting it may have existed in the Barracuda appliances for a decade. Advisories from SEC Consult and Barracuda also reference a serious authentication bypass bug. In an age of sophisticated advanced persistent threats, administrators who oversee any of this gear should update as soon as possible.

Story updated to correct sentence about password required to log in to the "product" account. Once logged in, no password is required to access the MySQL database. Thanks to SEC Consult's Johannes Greil for the correction.
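The two practical lessons in the story are that the exposure lives in the appliance's default firewall rules (inbound SSH admitted from a small set of public ranges) and in an undocumented account, so a defender's checks belong in two places: the ruleset itself, since an external port scan from an arbitrary source address will not see a port that is only open to specific ranges, and the SSH authentication log. The following is an added example, not code from the article, from SEC Consult or from Barracuda; the firewall rule format, the management network 10.20.30.0/24, the documented-account list and the log lines are all constructed for illustration, and the two /24 ranges are the ones quoted in the comment thread below.

```python
"""Added example (not from the article or the vendor): two defender-side checks
for the class of problem described in the story, run over constructed data.

1. audit_inbound_rules(): flag firewall rules that permit inbound TCP/22 from
   any source outside the organisation's own management network.
2. review_ssh_logins(): scan sshd-style "Accepted ..." lines for successful
   logins to accounts that are not on the documented account list, noting
   whether the source address falls inside the ranges named in the thread.
"""
import ipaddress
import re
from dataclasses import dataclass

# Ranges quoted in the comment thread as the sources permitted to reach the backdoor.
VENDOR_RANGES = [ipaddress.ip_network(c) for c in ("205.158.110.0/24", "216.129.105.0/24")]

# Assumed management network for this example (constructed, not from the page).
MANAGEMENT_NET = ipaddress.ip_network("10.20.30.0/24")

# Assumed list of documented accounts (constructed; the real list comes from vendor docs).
DOCUMENTED_ACCOUNTS = {"admin"}


@dataclass(frozen=True)
class Rule:
    """One firewall rule in a simplified, constructed format."""
    direction: str   # "in" or "out"
    proto: str       # "tcp" or "udp"
    source: str      # source CIDR
    dport: int       # destination port
    action: str      # "allow" or "deny"


def audit_inbound_rules(rules, mgmt_net=MANAGEMENT_NET):
    """Return the rules that allow inbound TCP/22 from a source not inside mgmt_net."""
    findings = []
    for r in rules:
        if r.direction != "in" or r.proto != "tcp" or r.dport != 22 or r.action != "allow":
            continue
        src = ipaddress.ip_network(r.source)
        if not src.subnet_of(mgmt_net):
            findings.append(r)
    return findings


# Matches the line OpenSSH writes on a successful authentication.
ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def review_ssh_logins(log_lines, documented=DOCUMENTED_ACCOUNTS, vendor_ranges=VENDOR_RANGES):
    """Return one finding per successful login to an account not in `documented`."""
    findings = []
    for line in log_lines:
        m = ACCEPTED_RE.search(line)
        if m is None:
            continue                      # failed attempts and unrelated lines are skipped
        user = m.group("user")
        if user in documented:
            continue
        ip = ipaddress.ip_address(m.group("ip"))
        findings.append({
            "user": user,
            "source": str(ip),
            "method": m.group("method"),
            "in_vendor_range": any(ip in net for net in vendor_ranges),
        })
    return findings


# Constructed ruleset: one legitimate management rule, two rules of the kind the
# advisory describes (inbound SSH admitted from public ranges), and an unrelated rule.
SAMPLE_RULES = [
    Rule("in", "tcp", "10.20.30.0/24", 22, "allow"),
    Rule("in", "tcp", "205.158.110.0/24", 22, "allow"),
    Rule("in", "tcp", "216.129.105.0/24", 22, "allow"),
    Rule("in", "tcp", "0.0.0.0/0", 443, "allow"),
]

# Constructed sshd log lines (not real appliance output).
SAMPLE_LOG = [
    "Jan 24 10:01:02 fw sshd[1201]: Accepted password for admin from 10.20.30.15 port 50122 ssh2",
    "Jan 24 10:05:44 fw sshd[1210]: Accepted password for product from 216.129.105.22 port 41120 ssh2",
    "Jan 24 10:06:10 fw sshd[1215]: Failed password for product from 198.51.100.7 port 41121 ssh2",
    "Jan 24 10:09:31 fw sshd[1222]: Accepted password for product from 198.51.100.7 port 41133 ssh2",
]

if __name__ == "__main__":
    for r in audit_inbound_rules(SAMPLE_RULES):
        print(f"inbound SSH allowed from {r.source}: source is outside the management network")
    for f in review_ssh_logins(SAMPLE_LOG):
        print(f"undocumented account {f['user']!r} logged in from {f['source']} "
              f"(inside vendor range: {f['in_vendor_range']})")
```

The rule audit reads the configuration rather than probing the port, which is the point raised in the thread about why a scan-only audit could miss this; the log review treats any successful login to an account outside the documented set as a finding regardless of source, and only annotates the vendor ranges, since a login from a range that is supposed to be allowed is still a login to an account the operator never provisioned.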

Promoted Comments

As someone who has found numerous instances of these kinds of backdoors and just not bothered publishing them because they are obvious to anyone with basic skills and access to the device or software, I have to ask, WTF did you expect?

Does anyone seriously believe that programmers and vendors, let alone key suppliers to strategic institutions around the world, would supply software or hardware that they did not have a way to gain administrative access to for "support" purposes?

Does anyone really believe that if they outsource your development, the developers will not leave a "test harness" with a "debugging interface" in the compiled code? Really?

The story here is not that Barracuda has a backdoor, it's that IT people are so naive that they are shocked by it. Someone will sell you hardware and software, but they will never sell you control. If you want control, that's what you pay security consultants for.

I'm shocked, Shocked!...

The firewalls we put in come with remote admin and remote support turned off by default, and you can turn it on if you wish.

Think of it as opting-in vs opting-out. When it comes to letting anyone else into my firewall, I much prefer the opt-in method.

I noted they aren't identifying the block owners. I assume they are state actors and this was all very purposeful. If I had any of their gear I'd be demanding all the blocks and then null routing them (before it even hit the firewall)...

The blocks are: 205.158.110.0/24 and 216.129.105.0/24 (from one of the linked articles)

article wrote:

These ranges include some servers run by Barracuda Networks, e.g. spam04.barracuda.com (216.129.105.22), forum.barracudanetworks.com (216.129.105.38), barracudacentral.org (216.129.105.40), repsrv.barracuda.com (216.129.105.42), mirror01.barracudacentral.com (216.129.105.94)...

The story here is not that Barracuda has a backdoor, it's that IT people are so naive that they are shocked by it. Someone will sell you hardware and software, but they will never sell you control. If you want control, that's what you pay security consultants for.

You obviously have no clue about the subject.

My company is a vendor for banking institutions, and I know that some of them use Barracuda hardware for VPN access. Someone is most likely sweating and working overtime now because of this scandal.

When you purchase a security product (which is not cheap by the way), it should go without saying that full control should be in your hands, and that all inbound access and all remote administration features are disabled by default, not to mention how remote administration should not work at all even if enabled without a proper password being set. Hell, even $60 TP-Link home routers do not allow remote administration by default.

@Dilbert:

Not everyone can afford Cisco equipment, not to mention that it requires a lot of serious training to learn how to use it properly while in many companies IT is understaffed and sometimes done by people from other departments (such as software engineering) if there is no dedicated IT personnel. Moreover, Cisco IOS has its own bugs and vulnerabilities, and without active support subscription (which adds to your expenses) you cannot have access to firmware updates.

Finally, Cisco is usually overkill if what you need is only multiple LAN-to-LAN VPN, not to mention that their latest and fully supported hardware accelerated routers offering such features (19xx, 29xx and 39xx series) cost an arm and a leg ($3500+).

Let's not forget that the choice of hardware and software is not the main issue here -- the much bigger and more serious issue is how nobody using Barracuda products caught that open port during a security audit.

WTF with the Reynolds wrap in this thread? I'm not a particular fan of the company or anything, but all these leaps to "state-sponsored" and "just WHO is this backdoor for" seem a little Alex Jones-crazy.

How stupid is it to not audit your firewall's default firewall rules? Pretty stupid. Or pretty lazy.

Damn, now I need to go clean my keyboard... Sprayed coffee on the "Reynold's Wrap" line. + 1 interweb for you today.

What am I missing? If the account is non-privileged, what's the real harm?

Just because the initial account isn't privileged doesn't mean local root escalation couldn't be found and abused to gain privileges.

Of course, if they can even GET to your device on Port 22 to use those credentials, you've already failed. The only way to access this device from their end should be that they first have to infect one of the PCs that has a port on your management network the device sits on, that has firewall access on a subset of IPs to the device, and potentially has also been validated via NAC system ensuring your AV is fully functional to even let you on that segment, and at that point this assumes they know what system in your network to infect, and what the IP of the Barracuda is, and they have full admin rights on your workstation, and 22 is not otherwise blocked on it or limited to certain applications. If they can get through all that just to hit your Barracuda with a limited access account, and then FURTHER have the knowledge to crack into it and gain Root (on a device running VxWorks or some other realtime OS with a non-common kernel), let them have it, because they already have all your databases, passwords, admin accounts, and other critical information....

I think the disturbing issue here is the undocumented part. Most IT staff know and understand that many appliances come with "default" settings and for security purposes you should change those settings.

(Default user name and passwords that give admin access to routers, switches, and WiFi)

Default SNMP namings and settings etc, etc, etc.

The big difference is most vendors DOCUMENT these default settings and usually warn about potential security risks.

Even consumer level appliances (like home WiFi routers, etc) have documented warnings about default settings. Some appliances come with "Reset To Factory Defaults" abilities just in case you are locked out of a device.

The point is, if you are going to buy any device that deals with security from a company you want to be able to trust them. If Barracuda was open about the back doors and DOCUMENTED the back doors this would be a no-issue. The fact that this goes back almost a decade and not a whisper tells many IT people one of two things.

Either Barracuda engineers and testers are incompetent and never noticed the "hidden" backdoors, or Barracuda as a company wanted to have the ability to access the device remotely without needing action from the customer.

This is not trustworthy from the consumers point of view and is a very big black eye for Barracuda in the IT industry.

What am I missing? If the account is non-privileged, what's the real harm?

The harm has multiple measures. Beachhead has already been mentioned above, but more importantly it shows either a serious level of incompetence in source code management, security audits and QA or the spectre of intentionally providing means of covert access to their product for various reasons.

Either way, if I had this product on my network, it would already be turned off and the replacement from another vendor being overnighted.

This would not be allowed in any PCI-regulated environment, either. Actually, in what environment would a default account like this be allowable?

Let's not forget that the choice of hardware and software is not the main issue here -- the much bigger and more serious issue is how nobody using Barracuda products caught that open port during a security audit.

Good point, except I'm betting that since the connection is apparently disallowed unless coming from an IP in those specific blocks, most security audits wouldn't detect it. Wouldn't a scanner need to spoof all IP addresses to have found this?

Having been audited by Grant Thornton I know that a proper security audit requires not only port scanning, but also disclosure of the network and device configuration, and the list of running applications and services (such as SSH, databases, Terminal Services, Cisco IOS, Windows Server, etc) to the auditors so they can check for specific vulnerabilities in those applications and services.

If those allowed IP blocks and running SSH service are not visible in the device configuration (which is what the term "backdoor" implies), then this is not anyone's oversight, but pure malice on Barracuda's part.

zelannii wrote:

Of course, if they can even GET to your device on Port 22 to use those credentials, you've already failed. The only way to access this device from their end should be that they first have to infect one of the PCs...

Are you speaking from your personal experience with those devices?

Because if you are not, then you simply misunderstood the issue.

Port 22 is open for INBOUND access (i.e. from WAN side of the device) for a specific set of public IP addresses. So unless you have a Barracuda firewall behind another firewall which is blocking that specific set of public IP addresses, anyone capable of spoofing an IP address can gain access to it.

As someone who has found numerous instances of these kinds of backdoors and just not bothered publishing them because they are obvious to anyone with basic skills and access to the device or software, I have to ask, WTF did you expect?

Does anyone seriously believe that programmers and vendors, let alone key suppliers to strategic institutions around the world, would supply software or hardware that they did not have a way to gain administrative access to for "support" purposes?

Does anyone really believe that if they outsource your development, the developers will not leave a "test harness" with a "debugging interface" in the compiled code? Really?

The story here is not that Barracuda has a backdoor, it's that IT people are so naive that they are shocked by it. Someone will sell you hardware and software, but they will never sell you control. If you want control, that's what you pay security consultants for.

I'm shocked, Shocked!...

This comment tells me that you should never have authority over any kind of product development. Secret backdoors are unethical, needlessly risky, and for people who don't trust their own product.

WTF with the Reynolds wrap in this thread? I'm not a particular fan of the company or anything, but all these leaps to "state-sponsored" and "just WHO is this backdoor for" seem a little Alex Jones-crazy.

For the painfully literal set, that's a half-joke. Only a half joke because if you read the article you would see this:

Quote:

"The public ranges include servers run by Barracuda Networks Inc. but also servers from other, unaffiliated entities...

Like has been posted already, Barracuda has already fixed the issue with the updated patch. On top of that, if you have the automatic security updates section turned on on your Barracuda appliance (it's on by default), then your device has already updated and you are set moving forward.

a) yes this sucks and I'm sure they'll get a stern talking to from someone somewhere; b) it's not the end of the world. The patches updated on the appliances without a reboot.

The story here is not that Barracuda has a backdoor, it's that IT people are so naive that they are shocked by it. Someone will sell you hardware and software, but they will never sell you control. If you want control, that's what you pay security consultants for.

You obviously have no clue about the subject.

My company is a vendor for banking institutions, and I know that some of them use Barracuda hardware for VPN access. Someone is most likely sweating and working overtime now because of this scandal.

When you purchase a security product (which is not cheap by the way), it should go without saying that full control should be in your hands, and that all inbound access and all remote administration features are disabled by default, not to mention how remote administration should not work at all even if enabled without a proper password being set. Hell, even $60 TP-Link home routers do not allow remote administration by default.

Laughable. I don't think you can know whether said home routers do not allow remote access. Ever looked at disassembled router firmware or seen a service wakeup magic packet? It's some redpill shit, bubba...

The entire history of security products is littered with these things. It's why a certain firewall vendor was banned from certain installations in the 90's and why that Chinese vendor is not allowed to bid on supplying western infrastructure. There is going to be an "unsafe at any speed" or "silent spring" moment for software, because our economy depends on it but most of it is incredibly poor.

The real question after finding out what makes IT people so credulous, is whose ass this is.

It's hard to believe that they weren't aware of the issue. It's even more incredible that the set of credentials is so ludicrous!

...and somehow, claiming a restricted set of IP blocks the access could come from, as a mitigation? Yeah, a minor mitigation. Not like I want ANYONE having carte-blanche access to my firewall! [Sometimes, that *especially* includes the vendor!]

IMO, getting caught doing this, is an instant death-penalty. I will never, *ever* consider buying equipment from a vendor who has done this.

Words hardly suffice.

I don't hate to say this... Barracuda needs to be sued into oblivion, and some folks at Barracuda need to go to prison. Anyone who knew of this backdoor, anyone who authorized it, and (if they knew about it and sold it to government buyers) anyone who acted as a salesman. Because the words of the day are ESPIONAGE and SABOTAGE.

Cue the FBI raids in 3, 2, 1......

I agree with you totally. Brings back memories of McAfee and Norton Firewall software, when they first came out, and they were caught letting approx. 250 companies through your firewall. If I remember, it was about Ad money. All that happened then was "We're sorry, there will be a patch out within the week." End of story. I've never forgiven those two companies for the arrogance they showed, even at that time. Have always turned people away from their products and will continue to.

This comment tells me that you should never have authority over any kind of product development. Secret backdoors are unethical, needlessly risky, and for people who don't trust their own product.

Sorry for the multi-post but have to respond here.

The original post pointed out that I have found numerous ones planted by developers and other parties. I have found sabotaged algorithms, escrow keys, hidden user databases, compiler tricks and packing obfuscators, magic packets, covert channels, all in addition to the usual overflows and injection vulns. I have never created them.

Most product managers lack the technical depth to produce secure products, and it's difficult to recover the extra cost of doing it right. A sound security architecture is going to cost a minimum of 10%-15% of development and nobody wants to pay when they can just pass the cost on as hidden risk to their customers.

In most cases, nobody is responsible and the risk from poor code is socialized. This works fine until it doesn't. Caveat emptor.

I don't hate to say this... Barracuda needs to be sued into oblivion, and some folks at Barracuda need to go to prison. Anyone who knew of this backdoor, anyone who authorized it, and (if they knew about it and sold it to government buyers) anyone who acted as a salesman. Because the words of the day are ESPIONAGE and SABOTAGE. Cue the FBI raids in 3, 2, 1......

You can't see a connection between an undocumented back door and activities such as those? He didn't say it was intentional, but it certainly makes it easy.

Quote:

sab·o·tage (sb-täzh) n. 1. Destruction of property or obstruction of normal operations, as by civilians or enemy agents in time of war. 2. Treacherous action to defeat or hinder a cause or an endeavor; deliberate subversion. tr.v. sab·o·taged, sab·o·tag·ing, sab·o·tag·es: To commit sabotage against.

Leaving a backdoor open destroys no property and hinders no endeavors.

Someone using the backdoor for nefarious purposes could destroy property and hinder endeavors, but the folks at Barracuda had no more to do with that than Ford has to do with drunk driving deaths, no more than Leggs has to do with bank robberies, etc. This assumes, of course, the folks at Barracuda weren't using this backdoor for nefarious purposes to destroy property and hinder endeavors, but the article doesn't suggest that.

Imagine the bank you banked at used this firewall and the only thing protecting your life savings was the user name PRODUCT, a blank password, and the hopes that someone doesn't know how to spoof an IP address.

It begs the question. IS barracuda that dumb or are they that devious? Either way it does not look good for a company trying to sell "security" to medium-enterprise markets.

Like has been posted already, Barracuda has already fixed the issue with the updated patch. On top of that, if you have the automatic security updates section turned on on your Barracuda appliance (it's on by default), then your device has already updated and you are set moving forward.

a) yes this sucks and I'm sure they'll get a stern talking to from someone somewhere; b) it's not the end of the world. The patches updated on the appliances without a reboot.

not a whole lot to see here, move along :-)

What else is undocumented? Instances like this are an instant crushing blow to a company's reputation.

I don't hate to say this... Barracuda needs to be sued into oblivion, and some folks at Barracuda need to go to prison. Anyone who knew of this backdoor, anyone who authorized it, and (if they knew about it and sold it to government buyers) anyone who acted as a salesman. Because the words of the day are ESPIONAGE and SABOTAGE. Cue the FBI raids in 3, 2, 1......

You can't see a connection between an undocumented back door and activities such as those? He didn't say it was intentional, but it certainly makes it easy.

Quote:

sab·o·tage (sb-täzh) n. 1. Destruction of property or obstruction of normal operations, as by civilians or enemy agents in time of war. 2. Treacherous action to defeat or hinder a cause or an endeavor; deliberate subversion. tr.v. sab·o·taged, sab·o·tag·ing, sab·o·tag·es: To commit sabotage against.

Leaving a backdoor open destroys no property and hinders no endeavors.

Someone using the backdoor for nefarious purposes could destroy property and hinder endeavors, but the folks at Barracuda had no more to do with that than Ford has to do with drunk driving deaths, no more than Leggs has to do with bank robberies, etc. This assumes, of course, the folks at Barracuda weren't using this backdoor for nefarious purposes to destroy property and hinder endeavors, but the article doesn't suggest that.

"obstruction of normal operations"

I guess you may argue that 'normal operations' includes the default settings, but let's be real here. A firewall is intended to stop unwanted access. Intentionally putting a back door in, or failing to remove--or at least document--it due to incompetence (the only two possibilities) would count as obstructing the system's ability to stop unwanted access in my book.

At what point are vendors and their programmers going to realise that the "back doors" they put into their products are increasingly less likely to be used by them in their maintenance activities than by black hats?

I would be interested to hear whether Barracuda did a cost/benefit check on "Guys, I reckon this product needs a back door". Because regardless of how little damage this particular incident would allow a bad guy to do, it is enormous reputational damage and I would expect some major contracts to be lost over the next few months simply because of this story.

For the people saying "Oh, it's a non-story because it's non-privileged access", wrong. It is a story because Barracuda did not tell their customers about it. What other non-documented "features" have they built into their devices? The assumption has switched from "they have security covered" to "well, they made a blunder over there, what else is there?".

That would (should) be the purchaser. I no longer buy IT stuff (happily), but when I did, every contract included this:

"No Undisclosed Access: Vendor represents and warrants that the System as delivered, and as maintained during the term of this agreement, contains no login procedure, user ID, access code, or means of gaining access to any function of the System which is not described in the documentation delivered with the System. Vendor will provide all information necessary for [us, the purchaser] to change any and all passwords or other facilities for gaining access to any function of the System. No limitation of liability nor limitation of consequential damages shall apply to this provision."

The kind of "stuff" I was buying was generally expensive enough that contract negotiations took place. Vendors who could not or would not agree were shown the door. These days, I'd change "passwords" to "mechanisms."

That would be redundant. Unless of course you are under the assumption your first firewall has a backdoor.

Actually it makes sense. Any security vulnerability that one firewall has will be blocked by the other (assuming models from different vendors). This practice is quite common for institutions that take security seriously.

[snip] Leaving a backdoor open destroys no property and hinders no endeavors.

Someone using the backdoor for nefarious purposes could destroy property and hinder endeavors, but the folks at Barracuda had no more to do with that than Ford has to do with drunk driving deaths, no more than Leggs has to do with bank robberies, etc. This assumes, of course, the folks at Barracuda weren't using this backdoor for nefarious purposes to destroy property and hinder endeavors, but the article doesn't suggest that.

Leaving a backdoor open provides an exposure that shouldn't exist. Deliberately leaving such a back door is a breach of trust with one's customers. There's no excuse for it. If you want to make an analogy with Ford, a better one would be the exploding gas tanks in the Ford Pinto. They didn't do any harm unless someone rear-ended you; then you burned to death.

I noted they aren't identifying the block owners. I assume they are state actors and this was all very purposeful. If I had any of their gear I'd be demanding all the blocks and then null routing them (before it even hit the firewall)...

The blocks are: 205.158.110.0/24 and 216.129.105.0/24 (from one of the linked articles)

article wrote:

These ranges include some servers run by Barracuda Networks, e.g. spam04.barracuda.com (216.129.105.22), forum.barracudanetworks.com (216.129.105.38), barracudacentral.org (216.129.105.40), repsrv.barracuda.com (216.129.105.42), mirror01.barracudacentral.com (216.129.105.94)...

Another disturbing facet is that Barracuda is either lazy or cheap. The blocks mentioned by alpha_dk are really subsets of those owned by XO Communications and Layer42 Networks, respectively. These blocks are used for colocation services by the providers.

So, we have two possibilities here:
1. Barracuda has static IPs with each colo, but was too lazy to use them in the remote access ACLs.
2. Or, Barracuda was too cheap to spring for static IPs.

If it weren't such a serious issue, it would be almost comical that the other organizations (possibly some Mom 'N' Pop shops) don't even know they have backdoor access to tens of thousands of appliances around the world.

Imagine the bank you banked at used this firewall and the only thing protecting your life savings was the user name PRODUCT, a blank password, and the hopes that someone doesn't know how to spoof an IP address.

So? If someone hacks into a bank and takes money, it's the bank's problem - not yours. That's the entire reason you put money into banks in the first place - because it's guaranteed by both the bank and your government.

That's not meant to diminish the importance of this flaw - it's just to illustrate that you don't need to care about the electronic security of your bank, in the same way that you aren't going to lose any money when they're hit by an armed robbery :-)